A mail server vulnerability has publicly exposed more than a year’s worth of email logs, as well as highlighted security and infrastructure issues, faced by the administrators and maintainers of controversial websites such as 8kun.
The logs, which were publicly visible before the vulnerability was patched last month, show thousands of email contacts made by 8kun administrators as well as by an address that appears to belong to 8kun owner Jim Watkins.
While it is possible to see who is emailing who and when in the logs, it is not possible to view the contents of emails.
The logs show admin accounts for the likes of 8kun and “Is It Wet Yet” (IIWY), the parent company of 8kun which is also owned by Watkins, engaging with a variety of email addresses. Many appear to show internal communications but others show contacts with apparent commercial partners and a variety of outside addresses. There are also one-off contacts with at least two law enforcement agencies.
Separately, Watkins’ email address, which was used to respond to questions regarding this article, can be seen in contact with a number of avid QAnon conspiracy enthusiasts, including one who appears to be a contract specialist in a role with the US Army. Further contacts with Q influencers with far larger followings are visible in the logs as well, although these appear to be more limited in number.
In total, the logs revealed 2,664 mail events sent from 30 addresses, that are part of Watkins’ companies, to 665 other email addresses. More than 1,100 of the mails logged came from Watkins’ own address.
The vulnerability also exposed things such as config directories, which contain details of how private data on the likes of the 8kun website is stored. Error logs, meanwhile, revealed things like SQL commands, session credentials, IP addresses and directory details on 8kun.
Although 8kun, which was previously known as 8chan, has long been known to host anonymous forums riddled with racist, neo-Nazi and anti-Semitic content as well as posts that encourage and celebrate mass shootings, it has more recently become home to the QAnon conspiracy The false and baseless theory posits that secret and satanic pedophile cabals are running the US and that a high level official known as Q is leaking information about the battle to stop these secretive, deep state groups on 8kun. Despite lacking any basis in fact, the Q conspiracy has spread across the US and beyond. QAnon adherents were pictured inside the US Senate after right-wing protesters stormed the US Capitol on January 6 and it has previously been linked with a number of violent incidents.
Yet the identity of the person or people posting on 8kun as Q for now, remains a mystery. Some, including the original founder of 8chan who has since turned against it, Frederick Brennan, have speculated that Watkins could himself be acting as Q or would at least be able to find out Q’s real identity, although Watkins has long denied this. Previous media reports, meanwhile, have suggested Watkins could be facilitating QAnon community hubs.
In an emailed response to this article, Watkins said: “I am not Qanon and don’t identify as such. That is a keyword on twitter [sic]. I am also not Q.”
A video published online shortly after a request for comment regarding this article was made last month appeared to show Watkins discussing the logs and stating that there was nothing of note in his emails. The video also contained a promotion for 8kun and Q face masks.
The vulnerable log directories were posted on the 420chan image board, as well as on Twitter, by Aubrey Cottle, the reported co-founder of Anonymous and 420chan. Cottle has declared war on QAnon, which he recently told Gizmodo was “warping minds around the world.”
Cottle discovered that Is It Wet Yet (IIWY) — a company founded, owned and operated by Watkins and which ultimately controls 8kun and other websites — was publicly exposing more than four Roundcube mail server logs it hosts and administers.
The authors of this article were able to confirm the public nature of logs due to the unpatched version of Roundcube the IIWY mail server was running. This bug is detailed in CVE-2015-5383 and was patched by Roundcube in version 1.1.2.
In response to the exposed logs, Watkins said it seems “there was a vulnerability in the Roundcube email server that I was using and I suspect thousands of other companies as well. Instead of reporting this vulnerability, I was stalked by the individual you will use as your source,” in probable reference to Cottle. Watkins continued that these logs likely impacted thousands of other companies but were released in order to “embarrass me and some of my friends and people that have emailed me.” This was not something “that should be encouraged,” he added, as well as stating he had reported the matter. Watkins also stated that the last time Bellingcat reported on him it led to people he knew being hurt, although he did not specify what reports he was referring to. The full response, which Watkins also posted to Twitter, can be seen here.
Although the exposed logs and vulnerabilities were only recently found, the date range contained in the emails would seem to imply that the exposure existed when 8kun was administered by Jim Watkins’ son, Ron.
Ron announced he was no longer 8kun admin earlier this year and has since gone on to peddle conspiracies about the results of the US election and framed himself as a technical expert. One of his recent appearances on the right-wing OANN news channel where he spoke about alleged election fraud was retweeted by President Donald Trump. We reached out to Ron Watkins for this article via Twitter direct message but did not receive a response before publication.
Mail Servers aren’t supposed to be public
Verifying the email logs was possible by reaching out to some of those contained within them. One email exchange showed Jim Watkins’ email address in touch with a reporter at HuffPo and their corrections inbox.
We asked the reporter who appeared to be involved in this correspondence if they could confirm the emails, which they did — an email was sent from Watkins to the corrections inbox at the time noted in the mail log on 25 October 2019. Bizarrely, the email contained a scrawled letter from Watkins on what appears to be parchment with Roman glyphs for the date. A tweet showing this letter was published on the IIWY Twitter account while Watkins also appeared to post a video of himself writing the letter on YouTube. We further followed up with a journalist with CNET whose email address appeared in the logs. They also confirmed to us they had been in contact with this email on the IIWY servers on the date detailed.
— Is It Wet Yet? (@isitwetyet) October 25, 2019
The email logs show a peak of activity to an unusually long string of diverse emails from the admin account at IIWY on November 26, 2019 that stands out dramatically against the rest of the data. When looking at Ron Watkins’ Twitter activity around that time, he claims to have rotated all the salts (an encryption related piece of information for accounts) and been under a distributed denial of service (DDoS) attack.
This would likely be something 8kun board owners would need to know about and may explain the long chain of emails on that day — although this can’t be conclusively confirmed without seeing the contents of the emails. Some recipients of emails from this account on November 26, 2019 include .edu accounts from Australia and Brazil. These are likely to be owned by students or people who work in academia. Again, it is not possible to know if these addresses are related to board owners.
From the logs it can also be seen that admin emails for 8chan and IIWY communicate with a large number of cock.li associated domains, a common email provider for members of the 4chan and 8kun communities.
The individual most in contact with Jim Watkins’ email address in the logs was a woman named Priscilla Adams Dumont. Between her two email addresses, DuMont exchanged 126 emails with Watkins’ account at the IIWY domain between November 2019 and August 2020.
A dig into DuMont’s web footprint reveals a Facebook page and two sparsely followed Twitter accounts registered under the emails listed for her in the 8kun logs.
Though one Twitter account is locked down, the other, formed in November, 2019 shows an active history of posting about QAnon and other conspiracies. She can also be seen engaging with popular QAnon accounts. Looking at the frequency of when Watkins and DuMont are emailing, there is a peak around April 17, 2020. Again, it’s not possible to know what the pair were emailing about, only that they were corresponding at that time. On the same day, however, DuMont’s open Twitter account tweeted that she was watching a conversation surrounding Watkins’ failed Disarm the Deep State Super PAC.
DuMont’s Twitter also shows her trying to curry donations for an organization called Redstone Arsenal Military and Civilians Club in November 2019. Her Linkedin profile further details her position as Contracting Officer of the Army Contracting Command- Redstone Arsenal in Alabama. Previously her assignment was US Army Space & Missile Defense Command in the Contract Acquisition and Management Office (CAMO).
A 2018 Facebook post from US Army Contracting Command, meanwhile, details a Priscilla Adams DuMont being awarded the Order of St Barbara. Below the post, the same Priscilla Adams DuMont Facebook account that links to the emails in the exposed logs can be seen thanking people for their congratulations in the comments.
Although the conspiracy theory suggests Q has “Q level” clearance within the strictures of the US government and access to military intelligence, the email logs do not in any way suggest this individual could be Q.
DuMont’s own public postings on Twitter, while displaying a clear enthusiasm for Q content and other conspiracies, appear to show a technical limitation as far as the use of forums such as 8kun are concerned. One tweet from November 2019 shows her asking for a link to the “Q boards on 8kun.”
She also appears to have minimal online impact or reach. Both Twitter accounts have a combined follower count of just 185, while the account that remains publicly visible hasn’t tweeted since June last year.
While it is certainly noteworthy that an individual who appears to be a contract specialist with the US Army is a keen follower of the conspiracy and in touch with the owner of the website that hosts Q posts, there is nothing in DuMont’s observed online activity that suggests she is an important cog in the story of Q. It is also not possible to know whether Watkins knows anything about her professional role.
We attempted to contact DuMont by email, on Twitter and via a phone number listed for her online to enable her to comment on the details in this story as well as ask why she appeared to be in such frequent contact with Watkins. However, we did not receive an answer or response before publication.
The logs show a number of other addresses that appear to belong to Q enthusiasts, some include popular Q terms such as WWG1WGA or link back contain the name of blogs dedicated to the subject, although none were contacted as regularly as DuMont.
Other information from the logs appear to show further communication with Q believers and influencers. For example, Watkins and DuMont appear to be involved in email exchanges with prominent QAnon figures such as: Blessed to Teach, Citizen’s IReport, The Patriot Hour, The Black Conservative, QTheMoreYouKnow, and In Pursuit of Truth. Another user included in these group emails was “The Growing Awareness,” who posts lengthy videos with titles such as, “Hospital attempted to kidnap and drug our new born.” Though not in emails with DuMont, Watkins can also be seen to be in contact with Neon Revolt, the Q evangelist with over 200k followers on Gab. We reached out to all of the QAnon figures above via the emails listed for them in the logs but did not receive any response before publication.
The logs show a further menagerie of curious email exchanges between IIWY and 8kun admin accounts which are likely largely responses to emails first received. Many have fascist, racist, or bizarre, names and domains such as: hitler.rocks, rape.lol, ni**e.rs, and many from cock.li.
One email address that starts, “adolsefstalitler” was at the domain “tfwno.gf” or “that feeling when no girlfriend.” Others appear to detail matters such as financial streams around IIWY and 8kun. These include paymentcloudinc.com, Paypal, goodstuffcoffee.com (where they sell 8chan branded coffee), P2P Printing (a Qanon merchandise company), and all of the ads related emails from ads address for 8kun.
Other addresses seemingly in correspondence with IIWY domains include various police and government agencies including the FBI, Department of Justice, Poland’s cyber-crime unit and even the Canadian child sexual abuse tipline.
There are also many emails between Watkins and contacts at Lokinet with whom IIWY has tried to create a distributed censorship resistance platform.
According to the error logs that are also exposed in the data, it is possible to see failed access attempts to the Roundcube mail servers as well. More simply put — these error logs show which email tried to login, from which IP address and at what time.
We mapped the IP addresses in the leaked error logs to their associated networking information. Somewhat surprisingly, it appeared that no two email address domains had Internet Service Provider (ISP) overlap. In other words, multiple users from different “@domains” were logging in to the same IIWY roundcube server from different IP addresses. Additionally, this appears to indicate that the same IIWY private email server was used for different organizations.
Watkins is known to own a large number of websites, domains and hosting structures. And while most addresses mapped appeared to fall under hosting providers he has previously been associated with, such as NT Technologies, others appeared to come from outside services (such as Cloudflare, AT&T and Charter) indicating that IIWY may have relied on other hosting providers periodically or reflecting the IP addresses at time of login.
What’s clear is that IIWY left critical vulnerabilities that leaked intimate information about their organizational structure as well as that of the 8kun boards themselves.
The data shows that the 8kun owner, Jim Watkins, in email contact with Q enthusiasts as well as prominent Q influencers.
Other correspondence, although not the contents of said correspondence, could be observed between IIWY addresses and their commercial partners as well as with law enforcement agencies.
Watkins has denied being Q. These logs do not provide any hint as to the identity of the person or people posing as Q, which remains a mystery.